Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[release/1.3] apply: use naive applier when running in UserNS #3779



Copy link

Cherry-pick #3763

`OverlayConvertWhiteout` calls `mknod c 0 0` which is not allowed when
running in a user namespace, even in Ubuntu kernel.

Although there is an alternative hacky way to create whiteouts without
calling mknod as Moby `overlay2` actually does(see containerd#3762), let's use
naive applier when running in UserNS and call it a day.

Close containerd#3762

Signed-off-by: Akihiro Suda <>
(cherry picked from commit c224edc)
Signed-off-by: Akihiro Suda <>
Copy link

theopenlab-ci bot commented Oct 25, 2019

Build succeeded.

Copy link

Codecov Report

Merging #3779 into release/1.3 will decrease coverage by <.01%.
The diff coverage is 0%.

Impacted file tree graph

@@               Coverage Diff               @@
##           release/1.3    #3779      +/-   ##
- Coverage        45.59%   45.59%   -0.01%     
  Files              116      116              
  Lines            11463    11465       +2     
  Hits              5227     5227              
- Misses            5336     5338       +2     
  Partials           900      900
Flag Coverage Δ
#linux 45.59% <0%> (-0.01%) ⬇️
Impacted Files Coverage Δ
diff/apply/apply_linux.go 47.82% <0%> (-1.43%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7af311b...f3c48da. Read the comment docs.

Copy link

@fuweid fuweid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.


Copy link

@estesp estesp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.


@estesp estesp merged commit d6f0c29 into containerd:release/1.3 Oct 25, 2019
dmcgowan pushed a commit to thaJeztah/containerd that referenced this pull request Nov 19, 2019
* Update the runc vendor to v1.0.0-rc9 which includes an additional mitigation for [CVE-2019-16884](
    - More details on the runc CVE in [opencontainers/runc#2128](opencontainers/runc#2128), and the additional mitigations in [opencontainers/runc#2130](opencontainers/runc#2130).
* Add to service file to fix corrupt image after unexpected host reboot. Reported in [containerd#3671](containerd#3671), and fixed by [containerd#3745](containerd#3745).
* Fix large output of processes with TTY getting occasionally truncated. Reported in [containerd#3738](containerd#3738) and fixed by [containerd#3754](containerd#3754).
* Fix direct unpack when running in user namespace. Reported in [containerd#3762](containerd#3762), and fixed by [containerd#3779](containerd#3779).
* Update Golang runtime to 1.12.13, which includes security fixes to the `crypto/dsa` package made in Go 1.12.11 ([CVE-2019-17596](, and fixes to the go command, `runtime`, `syscall` and `net` packages (Go 1.12.12).
* Add Windows process shim installer [containerd#3792](containerd#3792)

* CRI fixes:
    - Fix shim delete error code to avoid unnecessary retries in the CRI plugin. Discovered in [containerd/cri#1309](containerd/cri#1309), and fixed by [containerd#3733](containerd#3733) and [containerd#3740](containerd#3740).

Signed-off-by: Sebastiaan van Stijn <>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

Successfully merging this pull request may close these issues.

None yet

4 participants